Although necessary, the recent legislative requirements for data protection have become an additional burden for organisations. This is further complicated when sharing data internationally, as the legislation of the destination country also has to be considered. As this applies to small organisations just as much as to large multi-national corporations, it is now more important than ever to ensure data protection laws are adhered to.
Following an increasing number of data breaches, and the associated damage these have caused, governments have updated their data protection legislation, compelling organisations to take appropriate measures to protect personal data.
“A growing awareness of the necessity for data protection was caused by an increase in risk players and risk surfaces. Covid also had a role to play, in that everybody was working from home – suddenly all of these insecure networks were being used to access data. Laptops were just given to people working from home, without necessarily knowing how they should deal with data and how they should protect data,” says Nadia Kadhim, CEO of Naq Cyber, one of six companies currently being supported by innovation and startup hub Plexal’s Cyber Runway Ignite scheme.
The European Union’s (EU) General Data Protection Regulation (GDPR), which has been enacted in UK law as the Data Protection Act 2018, has become the de facto template for modern data protection regulation. “If you look at the data protection legislation around the world, from the California Consumer Privacy Act (CCPA) to the Protection of Personal Information Act (POPIA) in South Africa, they’re all based around GDPR. Even Middle Eastern countries have followed suit, looking at GDPR and taking as much as they can from it, before making their own differences,” says Kadhim.
“What’s interesting is that some countries, even within the EU, interpret GDPR in different ways, and put that in their national legislation,” she says. “The changes have not been too big, because countries are aware that if they diverge too much from GDPR, it makes it harder for companies within their country to do business with the EU.”
Data protection legislations typically incorporate three tiers of data protection:
- People: Employees having the appropriate training and access to data.
- Protection: Policies protecting user data from exposure and misuse.
- Technology: Having data and network security systems in place to mitigate hacking.
Despite GDPR being considered a standard for data protection legislation, variances exist between countries, as nations interpret the provisions differently and exert their own cultural influences. For example, the UK’s Data Protection Act 2018 does not require data protection representatives, as described in GDPR. Even in the EU, variances exist. German organisations are obliged to have an officially registered data protection officer (DPO), but in the Netherlands, this is only applicable for a public authority.
This lack of unity between data protection legislation can make sharing data between countries a complex process.
Sharing data within the EU is relatively easy, as the alliance allows for the free movement of data between member states. However, for countries that are not part of the EU, an adequacy decision needs to be agreed between the two nations. This is where both countries recognise that the data protection legislation of the other country is adequate for protecting their citizens’ data.
In cases where the country is not part of the EU and an adequacy agreement is not in place, they are listed a third country, which refers to any country outside the EU and its economic structures (the single market and the customs union). In this case, standard contractual clauses will be needed for every exchange of data, which can be complex and time-consuming.
This is especially difficult for the UK. Originally, the UK was able to freely share information with other member states. However, when the UK left the EU, on 31 January 2020, the country essentially became a “third country” as far as EU data protection laws were concerned. This changed, again, on 28 June 2021, when the UK gained an adequacy agreement with the EU. However, information sharing relating to immigration is excluded from the scope of the adequacy decision.
Large multinational organisations were originally the focus of data protection compliance oversight bodies, such as the Information Commissioner’s Office (ICO). However, as networking capabilities have increased, information sharing has become easier, thus enabling smaller companies to share increasingly large amounts of information. Consequently, smaller companies are now being scrutinised far more, to ensure they are taking all of the appropriate measures.
Legislation needs to keep up
A further issue is that data protection regulations are typically written by legislators and not by people that have experience with technology. Since technology is always evolving, legislation needs to keep up, but often lags behind development.
“GDPR has been written by people in Europe that don’t necessarily understand how cyber security on networks, devices and cloud applications work,” says Kadhim. “They have taken that into account by saying there needs to be appropriate technical cyber security measures, but organisations can decide themselves what is appropriate on the basis of the risk. In terms of enforcement, they are now increasingly looking at smaller businesses, as organisations need to be held accountable for what they do or don’t do in terms of people’s data.”
Organisations also need to consider business-specific data protection, such as those for operating in the education, financial, defence and healthcare sectors. Business sector data protection requirements are often conducted as a box-ticking exercise on a spreadsheet. As such, they are an overview of a company at a static moment in time and do not take into account how networks evolve or expand over time, or when licences expire.
“If a multi-thousand-pound deal with the NHS or Ministry of Defence depends on a successful review of a spreadsheet, then the answer will usually be yes to everything,” says Kadhim. “This is exactly why I am not a fan of due diligence questionnaires or certifications, because even certifications are a moment in time reflection of something that might or might not be completely true and implemented – I’m of the opinion that something should be in place that offers a real-time continuous overview of the security posture.”
Added to this is the issue of export control: legislation regulating the export of restricted goods, including software, technology and information. This is another set of data compliances that organisations need to be aware of and abide by, as well as requiring exporters to apply for a licence to export data covered by these controls.
Streamlining the process
Despite the multitude of challenges surrounding data protection regulations, compliance is always a good thing, as it streamlines the information sharing process. Furthermore, organisations that emphasise their data protection compliances will highlight to customers that they take their responsibilities seriously “They can be a responsible organisation and use this as a competitive advantage, especially when it comes to B2B companies where it can be used as an investment in getting deals,” says Kadhim. “For other companies, they should be aware that it’s the responsible thing to do.”
Conversely, there are also financial penalties and the associated reputational harm attached to being in breach of data protection legislation. As regulators like the ICO expand their oversight to incorporate smaller companies, the risk of organisations being found in breach of data protection regulation increases.
Given the time and expertise required to comply with the various data protection policies, technologies are being developed to automate many of the responsibilities expected by organisations. For example, the GDPR compliance tool from Naq automatically generates the documentation relevant to an organisation, as well as offering the necessary training modules and ensuring the appropriate security measures are in place.
The future of data protection remains a complex and fluid challenge. The information generation and sharing capabilities of artificial intelligence (AI) and machine learning raises the question of who owns data that has been using AI: is it the owner of the AI, the person whose data was used to generate the information or someone else?
The EU seeks to address some of these issues with the forthcoming Data Act. The act will introduce new rules that will make more data available for reuse by addressing the legal, economic and technical issues that lead to data being under-used. One possible consequence of this act will be that organisations will need to ensure that their data is not held in a proprietary format and that it can be easily transferred to another organisation.
“Legislation will never be as quick as new developments in industry and they’re going to try to retrospectively arrange and legislate things that have already happened,” says Kadhim.
Complying with a multitude of data protection legislations can be complex and time-consuming for organisations. This is especially true for smaller companies, which may not have the necessary expertise to understand the legislative requirements expected of them. Data compliance tools can automate the process, generating the necessary documentation and ensuring that organisations have suitable data protection policies, together with being able to follow them.